Risk Assessment in the ‘Internal Audit’ Department – A practical approach!
Article by M RAJESHWARON, General Manager (Management Audit), EID Parry

Introduction

Have we, as Internal Auditors, at any point of time stopped for a while and looked at our ‘own’ risk management strategies? I thought, through this article, I would share some of my thoughts on this subject.

As Internal Auditors, we are expected to play a vital role in the organization in the area of Risk Management. The focus of this role will depend on the “risk management status” of the organization. For example, if a structured system of Risk Management already exists in the organization, then the Internal Auditor takes the role of a continuous reviewer, providing the management with on-going advice to improve the existing risk management system. On the other hand, if the organization is in the infant stage of implementing a risk management system, then he works with the management, providing value addition for a robust risk management system in the organization. He then becomes a ‘facilitator’ rather than a fault finder who comes in at the end and communicates the inadequacies. Of course, this role will be played keeping in mind the ‘independence focus of audit’.

While he projects himself as a ‘facilitator’ or an effective ‘Risk Assessor’ in the organization, it is very essential that he understands the ‘risks’ in his own Internal Audit Function and manages them more effectively. This article dwells on the ground work required for establishing a proper risk management process in the internal audit department. The format I have adopted for this article is:
(A) mapping the Internal Audit processes and the inherent risks in them (a Question – Answer section)
(B) depicting the risk matrix for an Internal Audit department (this matrix is independent of the details discussed in (A) above)

While writing Section (A), I have kept in mind our Internal Audit Organization (EID Parry) to facilitate an easy flow of thoughts. Since the answers to these questions would become the basis for developing an actual ‘risk matrix’ for a particular audit department, it is expected that Internal Auditors compile this data relevant to their own working environment.

Section (A)

“Questions & Answers” for clearly understanding the ‘risk scenario’ prevailing in an Internal Audit Function

1. What are the key objectives of your Internal Audit Department?
(a) Long-term objectives?
To provide “World Class Internal Audit Services”.
(b) Short-term objectives?
“To play an effective role in the organization as internal consultants, guided by the philosophy of adding value to improve the operations of all the Business units” and provide assurance to the management on Risks, Controls & Governance.
(c) Everyday objectives?
Properly intertwine the work schedule and the above objectives of (a) adding value to improve the operations of the organization and (b) evaluating on a continuous basis the internal controls operating in various business operations of the organisation based on proper risk analysis, and also reviewing the effectiveness of the governing processes.
Assist the line management in translating the agreed recommendations into results by extending support through collaborative efforts.
Endeavour to continuously assess and improve the quality of people, process and deliverables to achieve these objectives.
2. What are the activities that are getting covered under your Internal Audit?
Review Activities
• Assurance
  * General Auditing (Audit of non-Technical Operations)
    - Issue based assignments / Location specific operational audit assignments
    - Compliance Audits (Internal / Statutory)
    - Project / CAPEX Audits
    - Review of Financial Reporting system
    - Specific Functional Area Audits (Insurance, Taxation, Secretarial, Funds Management etc.)
  * Information Systems Auditing & Control evaluation
    - ERP related area reviews
    - Legacy Systems Reviews
    - Information System Division’s Activities reviews
• Consulting
  * Technical Consulting (Audit of Technical Operations)
    - Energy & Fuel Audit (Steam / Power / Renewable Energy / Fossil fuel ‘POL’ (Petrol, Oil & Lubricants) / Motors / Pumps / Compressed air / Insulation / Water etc.)
    - ‘SHE’ Audit
    - Physical Assets Management / Maintenance Audit (Civil, Mechanical, Electrical, Instrumentation)
    - Production Process Audit (Input / Output, Mass Balance etc.)
  * Business Consulting
    - Improvements in Business profitability
    - Marketing Activity Improvements
    - R & D Activity Reviews
    - Human Resources effectiveness of processes
Facilitating Activities
• Internal Controls / Corporate Governance Promotion
  * Systems / Self Audit Process
    - Delegation of Authority Manuals compilation / Facilitation
    - Assistance & guidance to Business Units in Divisional system manual preparation & Self Audit process
  * Corporate Governance Support
    - Facilitation for putting an effective Internal Control system across business locations
    - Need based investigation assignment execution
    - Conducting awareness programs on Values & Beliefs / Code of Conduct, Ethics Policies, Fraud policies etc.
    - Promoting good governing processes at all levels
  * Acting as Central repository of Business Knowledge as acquired through various Audit Assignments
3. Have Internal Audit procedures been developed, documented, authorized, implemented, and adequately communicated to all departments?
Yes. Ours is an ISO 9001:2000 Certified Audit Function. We have an approved Apex Quality / Procedures Manual. The manual is shared with all Business Divisions and also placed on the Intranet Home Page of the Internal Audit Division.
4. What is the process followed for approval of the internal audit plan?
A detailed risk based audit planning exercise is done in consultation with the audit customers at the beginning of the year and the key focus areas are determined. The Audit Plan is reviewed by the CAE (Chief Audit Executive) along with the Audit Customers, and changes and comments are incorporated as per customers’ requirements. The CAE then finalises an Audit Focus document for the ensuing year and puts it up to the Audit Committee for its formal approval. (For conducting this exercise, standard Risk based Audit Planning software is deployed.)
5. How is the system of co-ordination achieved with the other departments, i.e. your audit customers?
Structured involvement of Audit Customers at the:
* Audit Planning stage
* Pre-Audit stage
* Final Audit discussion stage
* Follow up stage
* Audit Committee Discussion stage
6. To what level does the internal audit observation get elevated?
All audit observations are discussed with the Senior Management of the Business; significant audit observations, unresolved issues and areas where the Internal Auditor feels that the residual risk is high in his opinion are escalated to the Audit Committee. Broad materiality parameters are used for this purpose.
7. What is the process of follow-up for the observations in internal audit?
All agreed audit recommendations are converted into ‘Tasks’ which are placed on the automated audit process management software system called “WEBMARS”. WEBMARS triggers mail messages at various stages as follow-up reminders for completion of all tasks. Close monitoring of this system ensures completion of all tasks in the normal course. The system also generates Task Status reports for appropriate escalation. A detailed follow-up audit also takes place during the next cycle of audit to ascertain the status of all pending issues. A periodic Action Taken Report (ATR) is also solicited from the auditee departments.
8. How does the department ensure completeness of all areas planned?
* The comprehensive audit plan with areas such as Technical, Systems and General Auditing and the structured Risk area analysis is discussed & agreed with auditees at the beginning of the year.
* Mid Audit Reviews and the Audit Process management mechanism help in identifying gaps in execution.
* Additional resources required are deployed through internal / external skill sourcing wherever required.
* Periodical internal review meetings ensure a ‘progress chasing’ system.
9. How would you rate the independence of the department? Whom do you report to?
* The Board grants, and Management acknowledges, to the Internal Audit Function full and complete access to all records, personnel, physical properties or information of the organisation deemed necessary in accomplishing its audit activities. This is part of the Audit Charter approved by the Board.
* Audit staff have no direct responsibility for or any authority over the activities that they review.
* The CAE reports functionally to the Audit Committee Chairman and administratively to the Managing Director of the Company.
* The Audit Team is encouraged to report all those issues which in the Internal Audit’s opinion deserve top Management attention.
The above conditions ensure full independence of the Audit Team.
10. What are the significant reportings that have come up?
* These vary from suggestions for operational improvements to process improvements, to high cost saving potential, to escalating a High Risk Area. They also include reporting on efficiency improvement in certain functions as well as effective facilitation / co-ordination among Business Units to achieve synergies.
11. Is there a budget prepared for your department?
Yes. The Financial Budget is made as soon as the Audit Plan for the year is frozen by the Heads of all the three Audit Functions, namely General Audit, Systems Audit & Technical Audit. This is then cleared by the CAE and put up to Management / Audit Committee for approval.
12. How is your budget reviewed and monitored? What is the frequency of such review?
The financial Budget is compared with actuals on a monthly basis and reviewed by the CAE. This is also reported in the Audit MIS folder.
13. What kind of Reports / MIS is generated by the Internal Audit department? What is the frequency of generation and review of these reports?
MIS reports are prepared on a monthly basis for the three streams of Management Audit, i.e. General Audit, Systems Audit and Technical Audit. The contents of these reports include the status of all audit assignments, planned assignments vs actual assignments taken up, details of training programmes undertaken and the action plan for implementation of learnings, financial expenditure incurred against budget, status of cost savings recommended vs implemented, and any other important milestones crossed by these three streams of Audit in developing / strengthening the audit processes.
14. What key statistics / measures do you use to gauge the performance of your area? (any comparison with international norms/benchmarks)
* The division has adopted the Professional Practices Framework (PPF) issued by the Institute of Internal Auditors Inc., the only global body promoting the profession of Internal Auditing.
* The Division is an ISO 9001:2000 certified organization and periodical Surveillance audits are conducted to ensure compliance with all the quality process requirements.
* “WEBMARS” (an Audit Process Management Software) depicts the on-going progress, based on which performance against targets is monitored.
* The Measurement of Performance (MOP) model adopted for the Department also helps in evaluating the Division’s performance on a year to year basis. The Internal Audit Balanced Score card system helps in collecting inputs for this measurement.
* At the end of the year a ‘customer satisfaction’ survey matrix is also prepared (as part of the ISO Quality System) for taking corrective actions. This also becomes a basis for evaluation.
(Periodically the above measures are compared with global best practices.)
15. What are the significant theoretical risks associated with your area of operation?
* Risk of inadequate audit coverage
* Risk of not identifying the right areas for audit
* Risk of audit completion delays
* Risk of deploying incompetent audit teams to conduct audits
* Risk of gaps in the knowledge / skills possessed by Team Members
* Risk of not being able to balance between conflicting customer requirements
* Risk of not using appropriate IT Audit Tools
* Risk of not having structured Audit Systems / Processes
* Risk of not accepting a challenging assignment when offered
* Risk of not meeting Standards, SEBI guidelines, Audit Committee requirements
* Risk of not studying / adapting to the Corporate culture / Organisation Dynamics
* Risk of not knowing the ‘best practices’ in Internal Audit
* Risk of not getting adequate ‘resources’ for audit
* Risk of not ‘innovating’!
16. How would you classify these risks into the following categories?
People?
Eg:
* Risk of deploying incompetent audit teams to conduct audits
* Risk of gaps in the knowledge / skill possessed by Team Members
Processes?
Eg:
* Risk of audit completion delays
* Risk of balancing between conflicting customer requirements
* Risk of not using appropriate IT Audit Tools to capture relevant data for forming an audit opinion
Systems?
Eg:
* Risk of not understanding Business Systems / Controls
* Not having structured Audit Systems / Processes
Competition?
Eg:
* Risk of not accepting a ‘challenging assignment’ when requested
* Risk of not keeping abreast of developments in the Internal Audit Profession
Regulation?
Eg:
* Risk of not evaluating compliance with Standards, SEBI guidelines, Audit Committee requirements
Corporate Culture?
Eg:
* Risk of not studying, understanding & adapting to the Corporate culture, Code of Conduct, Ethics Policy etc.
17. What would be the impact of these risks and the likelihood of the risk occurrence?
Eg:
Impact: Could be severe in the case of Audit knowledge / skill level related risks, as this will directly affect the Audit deliverables.
Likelihood: The risk happening will be certain if no proper care is taken at the recruitment, on the job monitoring and year end performance stages.
18. What do you consider to be the key controls over these risks? [Issues discussed in (17) above]
People?
* Adopting the Audit Skill Matrix at entry level, middle level & at Senior levels
* Structured Training – Cognitive / Behavioural skills
* Continuing Professional Education for Team Members
* Team Members’ exposure to leading Professional organisations for knowledge updation / Best Practices sharing
Processes?
* Dynamic Audit Processes with adequate process controls built in
* ISO 9001:2000 requirement compliance & periodical external audits
* Professional Practices Adoption / Monitoring
* Proper assessment of ‘Customer requirements’ and need based focus on varied expectations
* Customer Feedback system / corrective action monitoring
Systems?
* Proper updation of ‘Business Knowledge’ by all Team Members
* Comprehensiveness of Audit Plans & Timely Execution
* Guest Audit Pool expertise for specialized areas (in-company experts team)
Competition?
* Readiness to face new audit requirements / continuous skill updation
* On-going enhancement of Audit Activities in different areas
Regulation?
* Appropriate training to Audit staff, organizing internal seminars on topical subjects
* Close co-ordination with Corporate Secretarial, Legal & Taxation Services
Corporate Culture?
* Internal Team discussions on Corporate culture, understanding the Organization’s Values & Beliefs
19. How would you rate the effectiveness of the key controls in your organisation? (1. Excellent 2. Very Good 3. Good 4. Fair 5. Poor)
2. Very Good
20. How do you identify, evaluate, and monitor / control these risks?
Meetings?
* Monthly MIS Review Meetings
* Quarterly Management Review Meetings
* Audit Committee Meetings
* Audit Customer Feedback during periodical Meetings / Presentations
Quantitative/Qualitative Analysis?
* Customer Feed Back Index (Quantified)
* Quantification of Audit Benefits
* Skill Matrix for Team Members
* Audit Performance Measurement Format
* Audit Plan vs Actual Execution statistics
Internal Reports?
* Monthly MIS Reports
* Annual consolidation reports
* Training Programme / Action Taken Reports schedules
* Planning Documents
* WEBMARS – Status Reports on various Audits
* Team Member Performance Appraisal Reports
External Information?
* IIA Inc. (Institute of Internal Auditors) guidelines
* Best Practices from Research work done by Professional Organisations
* Experience Sharing Workshops
* Study Reports on the Profession
* World ‘CAE’ Forum – (‘CAE’ is a member of this forum)
* ISO Quality Auditor - Reports
21. What recent or planned changes are there in your area of responsibility?
* Audit Customer base enlarged.
* Additional responsibility of providing support to Group Companies.
* ‘WEBMARS’ – the internally developed software application is going to be marketed by the Division to outside Professionals / Companies.
* Technical Audit stream got the approval for conducting mandatory Energy Audits for HT Industries – a revenue model is emerging.
22. What issues result from:
Complexity or size of the operation?
* Requirement for more auditors with special area skills
* Time management in preparing for and attending Audit Committee Meetings on a quarterly basis
* On-going updation of status on Audit issues
* Comprehensive coverage of all locations
Communication of information between business functions / operational units?
* Parallel communication with different layers of management across geographically dispersed units in terms of key audit issues on a timely basis has an impact on timely reporting, accuracy, correct status etc.
23. Is the current “Delegation of powers” adequate or commensurate with the Division’s objectives?
* Yes – Independence & Objectivity of the function are facilitated through adequate and defined Responsibilities / Authority - Audit Charter & Structured Reporting lines.
24. Are you comfortable with the current level of computerization and the adequacy of hardware and software in the performance of your function?
Yes – All the Team Members have computers; “CAATS” software is effectively used by Team Members.
25. Are you using any application tool in the performance of the function?
Yes – Internally developed Audit Process Management Tool (WEBMARS), Risk Ranking Tools, Control Evaluation Tools and Transaction Analysis Tools are deployed.
26. Is there an Ethics or Business Conduct policy? What is your understanding of the Company's Ethics Policy and Code of Conduct?
* Individual & Business Ethics are well understood by all Team Members. Regular internal discussions take place on this subject. IIA’s / ICAI’s Code of Conduct & the Company’s Values & Beliefs statements, Policies etc. are read and understood by all.
27. Do you know how to voice ethical concerns? Do you feel comfortable voicing ethical concerns?
* Yes – The ‘Whistle Blower’ Policy (CARO), when fully implemented, will provide the methodology, protection and a structured process for all whistle blowers. Audit supports this initiative by taking up and investigating complaints in a logical manner through appropriate audit methodology.
28. Has any concern on ethical issues been raised over the past two years and how has the same been addressed?
* No such instances
29. What, in your view, are the strengths and weaknesses of the Ethics Policy and Code of Conduct?
Strengths
* Positive outlook
* Professionalism
* Transparency
Weaknesses
* May be looked at as a threat by the reporting employee
* May have an impact on the ‘Trust’ aspect
* All ‘People’ may not understand / perceive the implications of this policy effectively
30. How do you monitor implementation of changes, if any, to Management policies and procedures?
Changes in the management policies and procedures are communicated to the Audit Division and a compliance review is undertaken for evaluating the effectiveness of implementation of all changes.
31. Do you have all the resources you need to effectively perform your job – in terms of manpower, infrastructure and support facilities?
Yes, we have.
32. Do you outsource a part of your activity? What is the process followed in the selection and approval of such source?
Yes, part of our activity is co-sourced. In order to identify the right source, first the requirements are analyzed for the various types of audits planned for the year. Then, from the data bank available with the Division, the outside service providers are evaluated and selected to match the above requirements. (The outside service providers’ data are kept updated in the Division on a continuous basis during the year, before engaging them for an assignment.) There is a structured evaluation process to decide the appropriateness of the co-sourced agency. There is also a continuous monitoring mechanism and a year end evaluation system for such outsourced services. (The above system is a subject of ISO Quality Audits under supplier evaluation.)
33. How do you find the morale in your area? What do you attribute this to?
* Independence & objectivity for Auditors have to come from within first
* Honesty and character are very important
* Both at entry level as well as during the tenure, effective assessment is done and feedback given to all Team Members
* An on-going performance appraisal also facilitates this
* Due to the challenging work environment & empowered situation, the ‘morale’ is high in the Division
34. What training, formal or informal, is offered to employees who report to you? Do you participate?
* A Structured Training Plan (External as well as Internal) exists. Formal Feedback sheets are prepared by Team Members and this helps in monitoring. Skills are divided into two categories for training purposes:
  i. Cognitive skills and
  ii. Behavioral skills.
With support from Corporate HR the programs are conducted.
35. What metrics do you use to evaluate your staff who report to you?
(1) Key Result Areas and Personal Objectives identification for all the Team Members at the beginning of the year. Continuous assessment of this with the help of Corporate Personnel and year end rating.
(2) Number of Training Programs attended in the areas identified for further development.
(3) On-going Feedback by CAE / Action Plans by Team Members
(4) Training Activity based on the earlier year’s appraisal document for all team members
(5) Continuous benchmarking with the Birkett et al. 1999 study on ‘Skills required for Internal Auditors (entry level, middle level & senior level)’, a document released by IIA, USA.
(6) Team members are encouraged in the ‘self learning’ process by motivating them to pursue professional courses in their respective work areas.
(7) Team members participate in Professional Workshops / Seminars / Conferences as participants as well as faculty. Technical skill development programs are identified by the CAE whereas Behavioral related skill development is done by Corporate Personnel.
(8) Periodical administration of personal quality / skill testing methodology with the help of corporate personnel and evaluation of the same.
36. Who evaluates your performance and what are the key components?
* Self Appraisals completed by the individual & submitted to the Initiating Officer (immediate boss) and then it goes to the Reviewing officer.(Boss’s Boss)
* Functional Reporting officer’s form will directly go to the Reviewing Officer (Officer who had interacted more during the year with the Executive)
* Reviewing Officer will finally approve the ratings and forward to Corporate Personnel.
* PARC (Performance Appraisal Review Committee) will meet during June every year and finally approve the ratings for the Executive.
* Periodical 360° feedback and other HR evaluation methodologies are undertaken to measure soft skills.
On Data Collection: The Questions with sample answers given above are only illustrative. Each Internal Audit Department could attempt to ask similar questions and provide answers pertinent to its own work environment. This will become the basis for developing a risk assessment model for the Division. The purpose of such detailed information is to identify all the risk elements and list them activity-wise. After analyzing the answers to the questions as above, the key risk areas should be identified and listed. Then a risk matrix as shown below could be prepared to understand the high, medium & low risk areas.
Section (B)

A Sample Risk Matrix (independent of the environment described in the foregoing Question & Answer session)

"Risk Exposure Matrix"

Rows (SIGNIFICANCE): Catastrophic / Major / Moderate / Minor / Insignificant
Columns (Likelihood): Rare / Unlikely / Moderate / Likely / Almost Certain

Risks plotted in the sample matrix, by significance row (likelihood column not shown):
Catastrophic:
* Gaps in Audit Technology
Major:
* Risks connected with not understanding the customers' expectations
* High dependency on external resources
Moderate:
* Inadequate Resource Allocation
* Skill sets of Audit Team Members
Row not shown:
* Balancing between Assurance Audits & value added audits

Legend: 3 2 1 (risk category)

The above boxes can then be classified into the 1, 2, 3 categories denoting High, Medium & Low risk areas.

Way Forward: Once risks are classified as above, the control mechanisms in operation in the Division to address them need to be plotted against each such risk area. This would then lead to a list of risk mitigation actions.
The actions would focus on bridging the gaps in the above selected areas. This exercise needs to be repeated every year so that the trend could be captured and continuous corrective actions / improvements take place in the Internal Audit Department. Like any other system this also needs to be audited by a ‘third party’ at periodical intervals. This structured methodology in the ‘Internal Audit Department’ will thus effectively demonstrate that the Internal Audit Team practices what it preaches to all its Audit Customers.
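The Section (B) procedure (place each risk on the likelihood × significance grid, classify the cell as category 1/2/3 = High/Medium/Low, plot the controls in operation against each risk, derive the mitigation actions, and repeat yearly to capture the trend) can be carried out mechanically. The following Python script is an added illustration of that procedure; it is not code from the article or from the Division's WEBMARS tool. The two five-point scales are the ones drawn on the sample matrix; the cell-scoring rule (rank product with thresholds of 12 and 6), the likelihoods assigned to the sample risks, and their control status are constructed assumptions for the example.

```python
"""Risk exposure matrix for an Internal Audit department (added illustration).

The likelihood and significance scales come from the article's sample matrix.
The cell-to-category thresholds, the sample risks' positions on the grid and
their control status are constructed assumptions, not figures from the article.
"""
from dataclasses import dataclass, field

LIKELIHOOD = ["Rare", "Unlikely", "Moderate", "Likely", "Almost Certain"]
SIGNIFICANCE = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]

# Category codes as used in the article: 1 = High, 2 = Medium, 3 = Low.
CATEGORY_NAME = {1: "High", 2: "Medium", 3: "Low"}


def score(likelihood: str, significance: str) -> int:
    """Cell score = likelihood rank x significance rank (each 1..5, so 1..25).
    A level that is not on either scale is rejected rather than silently ranked."""
    if likelihood not in LIKELIHOOD or significance not in SIGNIFICANCE:
        raise ValueError(f"unknown level: {likelihood!r} / {significance!r}")
    return (LIKELIHOOD.index(likelihood) + 1) * (SIGNIFICANCE.index(significance) + 1)


def category(likelihood: str, significance: str) -> int:
    """Map a cell to category 1/2/3. Thresholds are an assumption (the article
    gives none): score >= 12 -> 1 (High), 6..11 -> 2 (Medium), else 3 (Low)."""
    s = score(likelihood, significance)
    if s >= 12:
        return 1
    if s >= 6:
        return 2
    return 3


@dataclass
class Risk:
    name: str
    likelihood: str
    significance: str
    controls: list = field(default_factory=list)  # key controls in operation

    @property
    def category_code(self) -> int:
        return category(self.likelihood, self.significance)


def risk_register(risks):
    """Register rows sorted highest exposure first: category 1 before 2 before 3,
    and the higher cell score first within a category."""
    rows = [
        {
            "risk": r.name,
            "likelihood": r.likelihood,
            "significance": r.significance,
            "score": score(r.likelihood, r.significance),
            "category": r.category_code,
            "rating": CATEGORY_NAME[r.category_code],
            "controls": list(r.controls),
        }
        for r in risks
    ]
    return sorted(rows, key=lambda row: (row["category"], -row["score"]))


def mitigation_actions(risks):
    """Plot controls against each risk: every High or Medium risk with no control
    in operation becomes an entry in the 'Way Forward' mitigation list."""
    return [
        f"{CATEGORY_NAME[r.category_code]} risk without a control: {r.name}"
        for r in risks
        if r.category_code in (1, 2) and not r.controls
    ]


def trend(previous, current):
    """Year-on-year movement per risk name, given {name: category} for each year.
    Codes run 1 (High) to 3 (Low), so a higher code this year means improvement."""
    result = {}
    for name in set(previous) | set(current):
        if name not in previous:
            result[name] = "new"
        elif name not in current:
            result[name] = "closed"
        elif current[name] > previous[name]:
            result[name] = "improved"
        elif current[name] < previous[name]:
            result[name] = "worsened"
        else:
            result[name] = "unchanged"
    return result


# Constructed sample register: the risk names are those plotted in the article's
# sample matrix; the likelihoods and controls are assumed for illustration only.
SAMPLE_RISKS = [
    Risk("Gaps in Audit Technology", "Unlikely", "Catastrophic"),
    Risk("Not understanding the customers' expectations", "Moderate", "Major",
         ["Customer Feedback Index"]),
    Risk("High dependency on external resources", "Likely", "Major",
         ["Supplier evaluation under ISO Quality Audits"]),
    Risk("Inadequate Resource Allocation", "Moderate", "Moderate"),
    Risk("Skill sets of Audit Team Members", "Unlikely", "Moderate",
         ["Audit Skill Matrix"]),
    Risk("Balancing between Assurance Audits & value added audits", "Rare", "Minor"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS):
        print(f"{row['category']} {row['rating']:<6} {row['score']:>2}  {row['risk']}")
    for action in mitigation_actions(SAMPLE_RISKS):
        print("ACTION:", action)
```

Running the script prints the register from highest to lowest exposure and then the two gaps (the Medium-rated "Gaps in Audit Technology" and "Inadequate Resource Allocation", which have no control plotted against them). Feeding last year's `{name: category}` map and this year's into `trend` gives the year-on-year movement the article asks to capture; a "worsened" or persistent "unchanged" High entry is the signal that a corrective action did not take effect.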